OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


So what I am hearing is that we may need multiple properties to do this correctly???  Based on this discussion maybe we do Admiralty Scale AND something else.  If they are both optional, then people can pick the one they want to use.  What I do not like is the idea of using random extensions to things.  That was in IMHO, one of the biggest failing points of STIX 1.x.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 14, 2016, at 09:55, Joep Gommers <joep@eclecticiq.com> wrote:

 
 
 
 
Nicely said Dave.
 
Source reliability on intelligence content is an estimative judgement on the reliability of the sources used to derive that piece of intelligence from. Credibility about corroboration across those sources. In the context of STIX they are the judgement of the producer of this intelligence. It is up for any subsequent capability to judge it in a similar fashion.
 
Confidence is more an analysts estimate judgement. It appears in many different forms, but in intelligence its pretty much an industry standard to use Sherman Kent’s model;
Certain  100%      Give or take 0%  
Almost Certain    93%        Give or take about 6%
Probable               75%        Give or take about 12%
Chances About Even          50%        Give or take about 10%
Probably Not        30%        Give or take about 10%
Almost Certainly Not         7%          Give or take about 5%
Impossible            0              Give or take 0%
 
But it is not the SCALE the matters most it is the agreement among the STIX community WHAT the confidence estimation is for. E.g. confidence in maliciousness, confidence in the analysis provided (e.g. written), confidence in the correctness of attributes or relationships (structured). Generally confidence is provided as a confidence of the “correctness” of analysis whatever it is. Additionally, available on attributes.
 
So if STIX wants to facilitate the exchange of very commonly available intelligence sources if should at least:
1.       facilitate admiralty
2.       facilitate a generic confidence statement
3.       facilitate confidence as an extention to common components of entities such as malicious vs safe for certain attributes or anything else we feel relevant
 
If we follow Ken’t works on estimative probability it would be fine to use 0-100 scale IF its percentages. From which we can deduct, through a known and accepted standard the level equivelants.
 
Best regards,
Joep
 
 
 
 
 
 
From: <cti-stix@lists.oasis-open.org> on behalf of Dave Cridland <dave.cridland@surevine.com>
Date: Wednesday, September 14, 2016 at 4:02 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
 
I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event. 
 
The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").
 
On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.
 
Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.
 
On 13 September 2016 at 20:12, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
I also think we should call out in the specification how you would map this to the Admiralty score.  This way, for people that want to do it, they all do it the same way.

 

Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Sep 13, 2016, at 13:09, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
 
As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

 

Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 
On Sep 13, 2016, at 06:34, Wunder, John A. <jwunder@mitre.org> wrote:
 
The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

I’m not totally opposed btw, just wanted to point out some of these issues.

John

On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

   On 13/09/16 12:31, Jason Keirstead wrote:

Yes, exactly.

The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.


   Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly
   for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

   Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale
   and a clear description for analysts.

   [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
   [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

   -- 
   Alexandre Dulaunoy
   CIRCL - Computer Incident Response Center Luxembourg
   41, avenue de la gare L-1611 Luxembourg
   info@circl.lu - www.circl.lu

   ---------------------------------------------------------------------
   To unsubscribe from this mail list, you must leave the OASIS TC that 
   generates this mail.  Follow this link to all your TCs in OASIS at:
   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 



 
 


 
-- 

Dave Cridland

phone  +448454681066
skype  dave.cridland.surevine

urevine

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]